New PhishWP Threat, Illicit Marketplace Live, Codefinger Targets AWS – Cybersecurity News [January 13, 2025]
Cybercriminals are enhancing their capabilities, as evidenced by the latest PhishPWP phishing threat. Similarly, this week’s cybersecurity bulletin highlights the latest ransomware attack on AWS servers, making recovery impossible without the attacker’s key. We also look at how cybercriminals use popular social media channels like Telegram. Zero-day attacks are the most dangerous of all, as they emerge from practically nowhere. This week’s news highlights one such attack on Fortinet FortiGate firewall users. Finally, we round off a reputed university shutting off classes, fearing a cyber-attack on its network.
Users Beware Of The New PhishWP Threat, Accessing Credentials
Phishing has always remained the most significant threat vector, as records show that 2024 shows a threefold increase in the number of dangerous clicks compared to 2023. Email users must be aware of the latest PhishWP threat, which looks innocuous but is extremely dangerous because threat actors use it to create fake payment pages resembling trusted services like Stripe. The spoofed page looks so genuine that it easily lures unsuspecting users to enter their credentials, such as credit card details, expiry dates, CVV, and billing addresses.
The victim also gets a fake email confirmation email. The threat is more dangerous because it also accesses the OTP sent to your phone. PhishWP also connects with Telegram to send your stolen credentials to attackers when you hit the “Enter” button. That means your data becomes available on the darknet. The best way to mitigate such attacks is to install browser phishing protection tools that spot zero-hour phishing sites before they attack users. So, the mantra for staying safe is always to remain vigilant and avoid clicking on suspicious-looking emails and links.
The Largest Illicit Marketplace Is Allegedly Live On Telegram
If you think illicit marketplaces are only found on the darknet, wait until you hear this. The largest illicit marketplace, “Huinone Guarantee,” is running openly on Telegram. Cryptocurrency tracker Elliptic has reported that Huinone Guarantee, with sales transactions worth around $24 billion annually, is the largest-ever illicit online marketplace. Another tracker, Chainanalysis, has also said that previously, Huinone Guarantee’s annual turnover exceeded $49 billion. So, it comfortably overtakes “Hydra,” considered the largest ever darknet marketplace, whose annual turnover touched $5 billion over a six-year lifespan.
Huinone Guarantee’s products include personal data and tools for scammers to carry out their cybercriminal activities, including “pig butchering” schemes. Gullible investors are tricked into investing cryptos in pig butchering schemes where they are convinced that they get good returns. However, they lose money. Besides, these marketplaces provide avenues for laundering money. Last year, the Huinone Group launched its dollar-linked stablecoin, USDH. It has its crypto blockchain and a crypto wallet. Telegram has not responded as to whether the app still permits Huinone Guarantee to operate on the platform. However, Tom Robinson, CEO of Elliptic, says that Huinone Guarantee has been permitted to operate unhindered until now.
Codefinger Ransomware Allegedly Targets Active AWS Users
The Halcyon Threat Research and Intelligence team has confirmed a new ransomware campaign targeting AWS users. This campaign, Codefinger, leverages AWS’s server-side encryption with customer-provided keys (SSE-C) to encrypt data and then demand payment for supplying the symmetric AES-256 keys required for decrypting the information. Traditional ransomware encrypts local files or those in transit. However, Codefinger is dangerous because it uses SSE-C’s unique design to integrate directly with AWS’s secure encryption infrastructure to encrypt data.
That makes recovery impossible without the attacker’s key. This campaign shows that ransomware has evolved over the years. One way to avoid becoming victims of Codefinger is to use strong, phishing-resistant passwords and 2FA. Besides, users must not reuse their old passwords and avoid using the same passwords for different systems. AWS spokesperson has confirmed that AWS helps customers secure their cloud resources through a shared responsibility model. AWS notifies customers if they become aware of any exposed keys to enable customers to take necessary actions.
Fortinet: FortiGate Firewalls Experienced Zero-Day Attack
Cybersecurity firm Arctic Wolf has reported that an ongoing zero-day attack has targeted Fortinet FortiGate firewall devices since November 2024. Generally, FortiGate NGFW devices have a standard feature that allows administrators to access the command-line interface through a web-based management interface. Malicious threat actors have allegedly exploited a zero-day vulnerability in the Fortinet network to allow them to get unauthorized access and modify firewall configurations, steal credentials, and offer lateral movement within the compromised environment.
The attack has not yet targeted any specific organization or industry but has exposed vulnerabilities in FortiGate devices running on firmware versions 7.0.14 to 7.0.16. The attackers used spoofed IP addresses to conceal their activity in the jsconsole command-line interfaces. Arctic Wolf Labs has detected this malicious activity in multiple phases between November and December 2024. Arctic Wolf has recommended the following precautions.
- Disable the public management interface access.
- Update all firmware by patching devices to the latest stable version.
- Monitor continuously for anomalous activity.
- Use MFA and conduct threat hunting to identify signs of malicious activity.
This campaign underscores the threat of zero-day vulnerabilities and urges organizations and networks to act swiftly and prevent further intrusions.
Netherlands University’s Servers Hit By A Cyber Attack
The Eindhoven University of Technology in the Netherlands has suspended all lectures and other educational activities because of a cyber-attack on its network last Saturday. This leading institution in the Netherlands is a critical partner for ASML Holding NV, a chip-making giant. The university’s vice president, Patrick Groothuis, has described the switch-off decision to prevent worse outcomes. The university servers detected a surge of suspicious activities last week.
Cybersecurity experts are investigating the matter and have not confirmed any data breach yet. Besides, the attackers have also not communicated with the university authorities. Hence, their identities remain unknown. This attack gains significance because it provides a pivotal training ground for ASML talent. There can be international ramifications because of the ongoing US-China semi-conductor tensions, primarily because ASML is the sole manufacturer of advanced lithography machines essential for manufacturing high-end chips.